
Re: ssh tunneling



* P. Kallakuri (praveen@unlserve.unl.edu) [030825 13:55]:
> [...] when I ssh to the 
> gateway from localhost@some-internet-domain with the -L 
> 5903:vncserver:5903 option and forward from the gateway to the vncserver 
> using another ssh -L ..., I am not able to connect to the vncserver at 
> port 5903 on localhost. With a RealVNC viewer, I get an error like 
> "channel 2 or 4: administratively prohibited" and with TightVNC, I get 
> just a connection failure. [...]

> Why isn't the gateway/firewall allowing vnc ports to be forwarded to the 
> vncserver? Or isn't that the problem? [...]

No, that's not the problem.  An ssh tunnel means that the traffic is all
tunneled through the existing ssh connection.  No, the gateway will not
open up any new ports, and no, iptables won't need to allow any new
ports.

The gateway is listening on port 22, and vncserver is listening on port
5903.  That's all that matters.

Say you're connected from your laptop to the gateway:

laptop$ ssh gateway

Then there's one connection: from the laptop to the gateway's port 22
(ssh).  You can use netstat to confirm this.

Let's say you then open up a tunnel:

~C
ssh> -L5903:vncserver:5903
Forwarding port.

There's still only one connection active.  The only thing that has
changed is that now your laptop is also listening on localhost:5903.
When a connection is made to localhost:5903, the ssh tunnel kicks in,
tunneling packets from the local vnc client to the vncserver on the
other side of the gateway.  No new connections are made to the gateway.
All the traffic between the laptop and the gateway is just through the
same, already open ssh connection.

The vncserver will see a connection coming from the gateway.  I don't
know what sort of host-based access control the vnc server uses, but
make sure it allows connections from the gateway's internal address.

good times,
Vineet
-- 
http://www.doorstop.net/
-- 
						--Nick Moffitt
A: No.
Q: Should I include quotations after my reply?
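
As an added illustration (not part of Vineet's reply or of the thread), here is a small Python relay that plays the client-side role of `ssh -L`: it listens on localhost and copies bytes to a target, while a stand-in for the vncserver records which address each connection arrives from. Everything runs on one machine, in the clear, on ports picked at runtime (all constructed for the demo). Real ssh carries the same bytes inside the already-open session to the gateway, which then connects on to the vncserver; that is why only port 22 is open on the gateway and why the vncserver sees the gateway's address, exactly as the reply describes.

```python
import socket
import threading

# Constructed illustration, not code from the mailing-list post: a plain TCP
# relay that mimics the listener `ssh -L 5903:vncserver:5903` creates on the
# client side. Real ssh tunnels the bytes through the existing encrypted
# session; this toy relays them unencrypted on one host so the mechanism
# (local listener, no new ports on the gateway, target sees the relay's
# address) can be observed offline.


def _pump(src, dst):
    """Copy bytes from src to dst until src hits EOF, then close dst's write side."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_echo_server():
    """Stand-in for the vncserver: records each connecting peer's address and
    echoes whatever it receives. Returns (listening_port, seen_peers)."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    srv.listen(5)
    seen = []

    def serve():
        while True:
            try:
                conn, addr = srv.accept()
            except OSError:
                return
            seen.append(addr[0])  # this is what host-based access control checks
            threading.Thread(target=_pump, args=(conn, conn), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], seen


def start_forwarder(target_host, target_port):
    """Client-side half of -L: listen on 127.0.0.1 and relay every accepted
    connection to (target_host, target_port). Returns the local listening port."""
    lst = socket.socket()
    lst.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    lst.bind(("127.0.0.1", 0))
    lst.listen(5)

    def accept_loop():
        while True:
            try:
                client, _ = lst.accept()
            except OSError:
                return
            # The onward connection originates here, not at the original client.
            upstream = socket.create_connection((target_host, target_port))
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return lst.getsockname()[1]


def demo(payload=b"RFB 003.008\n"):
    """Run server, forwarder and client in one process; report what each side saw."""
    server_port, seen_peers = start_echo_server()
    local_port = start_forwarder("127.0.0.1", server_port)
    with socket.create_connection(("127.0.0.1", local_port)) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)  # signal EOF so the relay chain unwinds
        got = b""
        while True:
            chunk = c.recv(4096)
            if not chunk:
                break
            got += chunk
    return {
        "echoed": got,                     # bytes made the round trip through the relay
        "server_saw_peer": seen_peers[0],  # the relay's address, not a remote client's
        "local_listen_port": local_port,   # the only new listener is on localhost
    }


if __name__ == "__main__":
    print(demo())
```

The `server_saw_peer` field is the point to take away: the stand-in server only ever sees the relay's address, which is why, with a real tunnel, the vncserver's host-based access control has to admit the gateway's internal address rather than the laptop's.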
